The main idea of this blog is to share solutions or workarounds for problems I faced.

Thursday, June 19, 2014

Report on Vulnerable Gems with Bundle-Audit

Bundler Audit is a gem that reports on vulnerable gems in your Gemfile. It's similar to Gemnasium or https://hakiri.io/facets but can more easily be integrated into Jenkins. It's also recommended by the Brakeman people.

Install

Add the following to your Gemfile in the development group:

gem 'bundler-audit'

Run

bundle install

Run Locally

Run

bundle-audit update
bundle-audit

This will output any vulnerable gem versions you have, or a nice green message if you're OK.

Integrate with Jenkins

To display the results on the project home page:

Add the following to your "Execute Shell" build step:

bundle-audit update
bundle-audit > bundle-audit.txt

Then under "Post build actions", add "Publish rich text message".

Select "confluence" markup, and paste the following:

h2. Bundle Audit Results
${FILE:bundle-audit.txt}

Now re-run your build and the results will display.

Take it a step further and make Jenkins fail when there are vulnerable gems

Modify your "Execute Shell" build step to check the output of bundle-audit. Here's a simple example script which does this (see SnapDeploy for an example)
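One way to write that build step, as an added example for this post and not the SnapDeploy script or anything shipped with bundler-audit: run the audit, keep the report in bundle-audit.txt so the "Publish rich text message" step still has something to show, and then make the step's exit status depend on what the report says. The "No vulnerabilities found" and "Vulnerabilities found!" strings are the messages bundle-audit prints; the sample reports, the gem name, advisory id and URL in them are constructed for the example, and the script treats anything it doesn't recognise (including an empty or missing report) as a failure so a broken tool run can't turn the build green.

```shell
#!/bin/sh
# Added example, not from the original post or from SnapDeploy.
# Jenkins "Execute Shell" step: run bundle-audit, save its report, and
# fail the build when the report lists vulnerable gems.

REPORT="${REPORT:-bundle-audit.txt}"

# check_report FILE
#   returns 0 when the report says the Gemfile.lock is clean,
#   returns 1 when it lists vulnerabilities, is empty, is missing,
#   or does not contain either of bundle-audit's summary lines (fail closed).
check_report() {
  file="$1"
  [ -s "$file" ] || return 1
  if grep -q 'Vulnerabilities found!' "$file"; then
    return 1
  fi
  if grep -q 'No vulnerabilities found' "$file"; then
    return 0
  fi
  return 1
}

# count_vulnerable_gems FILE
#   bundle-audit prints one "Name: <gem>" line per advisory it reports,
#   so counting those lines gives the number of findings (0 for a clean report).
count_vulnerable_gems() {
  grep -c '^Name:' "$1" 2>/dev/null || true
}

# run_audit
#   The actual build step body. Refuses to run if the gem is not installed,
#   so this file can be sourced and its functions tested without bundler-audit.
run_audit() {
  if ! command -v bundle-audit >/dev/null 2>&1; then
    echo "bundle-audit is not installed; run bundle install first" >&2
    return 2
  fi
  bundle-audit update
  # Write the report first, ignoring bundle-audit's own exit status here;
  # check_report below decides whether the build passes.
  bundle-audit > "$REPORT" 2>&1 || true
  cat "$REPORT"
  if check_report "$REPORT"; then
    echo "bundle-audit: no vulnerable gems found"
    return 0
  fi
  echo "bundle-audit: $(count_vulnerable_gems "$REPORT") vulnerable gem(s) reported, failing the build" >&2
  return 1
}

# Constructed sample reports, shaped like bundle-audit output; every value
# in them (gem name, version, advisory id, URL) is made up for this example.
SAMPLE_CLEAN='No vulnerabilities found'
SAMPLE_VULNERABLE='Name: example-gem
Version: 1.0.0
Advisory: PLACEHOLDER-ADVISORY-ID
Criticality: High
URL: https://example.invalid/advisory
Title: Constructed sample advisory
Solution: upgrade to >= 1.0.1

Vulnerabilities found!'

# Only run the real audit when invoked with --run (the Jenkins step does:
# sh audit.sh --run). Without the flag the functions are just defined.
if [ "${1:-}" = "--run" ]; then
  run_audit
  exit $?
fi
```

Pointing the "Execute Shell" step at this script with `--run` keeps the report and the pass/fail decision in one place; Jenkins marks the build failed whenever the step exits non-zero, and the rich text publisher still renders bundle-audit.txt because the file is written before the check.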
